update default route behaviour and document the same (#71)

sourcefuse · Feb 6, 2024 · 3f02644 · 3f02644
1 parent f827174
commit 3f02644
Show file tree

Hide file tree

Showing 7 changed files with 108 additions and 87 deletions.
diff --git a/.gitignore b/.gitignore
@@ -2,6 +2,7 @@
 terraform.tfstate
 *.tfstate*
 terraform.tfvars
+**.override*
 *.backup
 *.idea
 /secrets
diff --git a/docs/module-usage-guide/README.md b/docs/module-usage-guide/README.md
@@ -80,6 +80,10 @@ This example will create:
 ### Tips and Recommendations
 
 - If you want to create custom subnet ranges, check [example](https://github.com/sourcefuse/terraform-aws-arc-network/tree/main/examples/cistom-subnets)
+- When creating custom subnet ranges with this module, if you `set custom_nat_gateway_enabled` to `false` then make sure that you either
+  a) set the variable `custom_az_ngw_ids` with an appropriate map of availability zone to nat gateway id
+  OR
+  b) set your own default route using aws_route resource
 
 ## Troubleshooting
 

diff --git a/examples/custom-subnets/.terraform.lock.hcl b/examples/custom-subnets/.terraform.lock.hcl
diff --git a/examples/custom-subnets/README.md b/examples/custom-subnets/README.md
@@ -8,7 +8,8 @@ This example shows how to pass in custom subnet configuration, overriding the de
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | ~> 1.3 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 4.0 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.0 |
+| <a name="requirement_awsutils"></a> [awsutils](#requirement\_awsutils) | ~> 0.18 |
 
 ## Providers
 
@@ -18,7 +19,7 @@ No providers.
 
 | Name | Source | Version |
 |------|--------|---------|
-| <a name="module_network"></a> [network](#module\_network) | sourcefuse/arc-network/aws | 2.6.1 |
+| <a name="module_network"></a> [network](#module\_network) | ../../ | n/a |
 | <a name="module_tags"></a> [tags](#module\_tags) | sourcefuse/arc-tags/aws | 1.2.3 |
 
 ## Resources

diff --git a/examples/custom-subnets/main.tf b/examples/custom-subnets/main.tf
@@ -7,7 +7,11 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "~> 4.0"
+      version = "~> 5.0"
+    }
+    awsutils = {
+      source  = "cloudposse/awsutils"
+      version = "~> 0.18"
     }
   }
 }
@@ -16,6 +20,10 @@ provider "aws" {
   region = var.region
 }
 
+provider "awsutils" {
+  region = var.region
+}
+
 module "tags" {
   source  = "sourcefuse/arc-tags/aws"
   version = "1.2.3"
@@ -32,8 +40,8 @@ module "tags" {
 ## network
 ################################################################
 module "network" {
-  source                      = "sourcefuse/arc-network/aws"
-  version                     = "2.6.1"
+  source = "../../" #"sourcefuse/arc-network/aws"
+  #version                     = "2.6.1"
   namespace                   = var.namespace
   environment                 = var.environment
   availability_zones          = var.availability_zones
@@ -67,14 +75,25 @@ module "network" {
     }
   ]
 
+  // If have disabled the default nat gateways for your custom subnetes
+  // then you need to pass a nat gateway id for each private subnet that
+  // you are creating. If custom_az_ngw_ids is left empty in this case
+  // then no default route is created by the module.
+
+  custom_nat_gateway_enabled = false
+  custom_az_ngw_ids = {
+    "us-east-1a" = "ngw-13df3f3" // Dummy NAT gateway IDs. Use data sources or resource attributes instead.
+    "us-east-1b" = "ngw-12cesc3"
+  }
+
   client_vpn_authorization_rules = [
     {
       target_network_cidr  = var.vpc_ipv4_primary_cidr_block
       authorize_all_groups = true
       description          = "default authorization group to allow all authenticated clients to access the vpc"
     }
   ]
-  /// if no vpc endpoint is required then you can remove this block with gateway_endpoint_route_table_filter
+  // if no vpc endpoint is required then you can remove this block with gateway_endpoint_route_table_filter
   vpc_endpoint_config = {
     s3         = true
     kms        = false

diff --git a/modules/subnets/locals.tf b/modules/subnets/locals.tf
@@ -1 +1,11 @@
-locals {}
+locals {
+  // The following locals map a private subnet to respective public subnet,
+  // and if nat_gateway_enabled is true then this is used to update
+  // routes to public internet in the respective private subnet in the following local.
+  // If it is not true then it takes the value from the variable az_ngw_ids
+  // and maps it to the private subnet. If even that is empty,
+  // then no routes to public internet are added.
+  public_internet_mapping = { for x in var.private_subnets : x.name => replace(x.name, "-private-", "-public-") if var.nat_gateway_enabled == true }
+
+  subnet_ngw_ids = { for x in var.private_subnets : x.name => var.nat_gateway_enabled == true ? aws_nat_gateway.public[local.public_internet_mapping[x.name]].id : lookup(var.az_ngw_ids, x.availability_zone, null) }
+}
diff --git a/modules/subnets/main.tf b/modules/subnets/main.tf
@@ -84,7 +84,7 @@ resource "aws_route_table" "private" {
 }
 
 resource "aws_route" "default" {
-  for_each = var.az_ngw_ids
+  for_each = { for x in var.private_subnets : x.name => local.subnet_ngw_ids[x.name] if local.subnet_ngw_ids[x.name] != null }
 
   route_table_id         = aws_route_table.private[each.key].id
   nat_gateway_id         = each.value